47e05db7c8d972be5e04866381689e41d53601259bc229247ac78001516a1319

Analysis

max time kernel
158s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2023, 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f500816077e04e2765953f13c92cdc10.exe
Size

2.6MB
MD5

f500816077e04e2765953f13c92cdc10
SHA1

291c5f984c339ba9b498a0d06f7c85ec7dd04cf8
SHA256

47e05db7c8d972be5e04866381689e41d53601259bc229247ac78001516a1319
SHA512

93611fc45eae013bbc5bad7fd110bd745634b8d37b9c749adf3ff0493a127d77c796768ec1a642dbd2b41fb617f19e643bd39ab780b9debc2736f31df40ba750
SSDEEP

49152:lS5IvAG44oOCdcSzNIJG70V6Do4yV/5mc5aNZJ350zg5bEJ60IZGnpw/Yr:lS5G4DOT5JGIVzh/5aZX0zgd0IZGpwG

Score

10^/10

evasion persistence themida trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	NEAS.f500816077e04e2765953f13c92cdc10.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NEAS.f500816077e04e2765953f13c92cdc10.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NEAS.f500816077e04e2765953f13c92cdc10.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe

Executes dropped EXE 4 IoCs

pid	Process
1284	explorer.exe
4492	spoolsv.exe
1664	svchost.exe
3440	spoolsv.exe

Themida packer 23 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2020-0-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/files/0x0009000000022cce-8.dat	themida
behavioral2/files/0x0009000000022cce-9.dat	themida
behavioral2/memory/1284-10-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/files/0x000e000000022cd5-15.dat	themida
behavioral2/files/0x000e000000022cd5-17.dat	themida
behavioral2/memory/2020-18-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/memory/4492-19-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/files/0x000e000000022cd5-20.dat	themida
behavioral2/files/0x0008000000022cd7-28.dat	themida
behavioral2/files/0x0008000000022cd7-27.dat	themida
behavioral2/memory/1664-29-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/files/0x000e000000022cd5-33.dat	themida
behavioral2/memory/3440-34-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/memory/2020-35-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/memory/2020-39-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/memory/3440-40-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/memory/4492-41-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/memory/1284-42-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/memory/1664-43-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/memory/1284-52-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/memory/1284-54-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/memory/1284-56-0x0000000000400000-0x0000000000A13000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NEAS.f500816077e04e2765953f13c92cdc10.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
1284	explorer.exe
4492	spoolsv.exe
1664	svchost.exe
3440	spoolsv.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	NEAS.f500816077e04e2765953f13c92cdc10.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1284	explorer.exe
1664	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
2020	NEAS.f500816077e04e2765953f13c92cdc10.exe
1284	explorer.exe
1284	explorer.exe
4492	spoolsv.exe
4492	spoolsv.exe
1664	svchost.exe
1664	svchost.exe
3440	spoolsv.exe
3440	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1284	2020	NEAS.f500816077e04e2765953f13c92cdc10.exe	94
PID 2020 wrote to memory of 1284	2020	NEAS.f500816077e04e2765953f13c92cdc10.exe	94
PID 2020 wrote to memory of 1284	2020	NEAS.f500816077e04e2765953f13c92cdc10.exe	94
PID 1284 wrote to memory of 4492	1284	explorer.exe	95
PID 1284 wrote to memory of 4492	1284	explorer.exe	95
PID 1284 wrote to memory of 4492	1284	explorer.exe	95
PID 4492 wrote to memory of 1664	4492	spoolsv.exe	96
PID 4492 wrote to memory of 1664	4492	spoolsv.exe	96
PID 4492 wrote to memory of 1664	4492	spoolsv.exe	96
PID 1664 wrote to memory of 3440	1664	svchost.exe	97
PID 1664 wrote to memory of 3440	1664	svchost.exe	97
PID 1664 wrote to memory of 3440	1664	svchost.exe	97

C:\Users\Admin\AppData\Local\Temp\NEAS.f500816077e04e2765953f13c92cdc10.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f500816077e04e2765953f13c92cdc10.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1284
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1664
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
1ba63d6c546a13b52deceb5ab2b83c6b

SHA1
53c6c7bba89341f182146884003448c29a9c2351

SHA256
f105c27fb2e3b8cf9f9e705503f071d50facac7f9d79f339842ce9967d13c1ed

SHA512
eaf7921b22ea290aa021f5040c363b55aba92093882eccc987a7ad78ad433281326ba0abe6f36cbe5d4271e809506b3a194d1423ea49d0bc88d44964902bbdfa

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
b2932ee9e20748749f60251e4dbd123a

SHA1
c812974aededc7eb86bfc4773592dbdedb1a1151

SHA256
ee29d15bd9c5a82864ad845a13680b88acae48346e553deb650e9b399adbfdf0

SHA512
a2ad2a01876a6241d24fe330f7939ac7379a3cf647deade13ad00825097ef9f8f2c615851e2dcc3a85859027c77194d5859517f5e2ab597a750c77ac7eadb0e0

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
b2932ee9e20748749f60251e4dbd123a

SHA1
c812974aededc7eb86bfc4773592dbdedb1a1151

SHA256
ee29d15bd9c5a82864ad845a13680b88acae48346e553deb650e9b399adbfdf0

SHA512
a2ad2a01876a6241d24fe330f7939ac7379a3cf647deade13ad00825097ef9f8f2c615851e2dcc3a85859027c77194d5859517f5e2ab597a750c77ac7eadb0e0

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
b2932ee9e20748749f60251e4dbd123a

SHA1
c812974aededc7eb86bfc4773592dbdedb1a1151

SHA256
ee29d15bd9c5a82864ad845a13680b88acae48346e553deb650e9b399adbfdf0

SHA512
a2ad2a01876a6241d24fe330f7939ac7379a3cf647deade13ad00825097ef9f8f2c615851e2dcc3a85859027c77194d5859517f5e2ab597a750c77ac7eadb0e0

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
dee58dc9868c9fe8967c0c068d82e88f

SHA1
7c5415aa8a5396a5c2a63011be2caae4c1a16609

SHA256
3698f6a34acaff46a965958eaac946d2d1d90dc6f184e9c542a72275ca1b7e04

SHA512
f36b62bf7673cfba695df4fe185862b4738364246c720a3f2e51fc69ed979bb7d010f88389915f4b7c648a97996f6feeef4771c4462b5667fb5591d49cd75a88

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
2.6MB

MD5
b2932ee9e20748749f60251e4dbd123a

SHA1
c812974aededc7eb86bfc4773592dbdedb1a1151

SHA256
ee29d15bd9c5a82864ad845a13680b88acae48346e553deb650e9b399adbfdf0

SHA512
a2ad2a01876a6241d24fe330f7939ac7379a3cf647deade13ad00825097ef9f8f2c615851e2dcc3a85859027c77194d5859517f5e2ab597a750c77ac7eadb0e0

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
2.6MB

MD5
dee58dc9868c9fe8967c0c068d82e88f

SHA1
7c5415aa8a5396a5c2a63011be2caae4c1a16609

SHA256
3698f6a34acaff46a965958eaac946d2d1d90dc6f184e9c542a72275ca1b7e04

SHA512
f36b62bf7673cfba695df4fe185862b4738364246c720a3f2e51fc69ed979bb7d010f88389915f4b7c648a97996f6feeef4771c4462b5667fb5591d49cd75a88

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
2.6MB

MD5
1ba63d6c546a13b52deceb5ab2b83c6b

SHA1
53c6c7bba89341f182146884003448c29a9c2351

SHA256
f105c27fb2e3b8cf9f9e705503f071d50facac7f9d79f339842ce9967d13c1ed

SHA512
eaf7921b22ea290aa021f5040c363b55aba92093882eccc987a7ad78ad433281326ba0abe6f36cbe5d4271e809506b3a194d1423ea49d0bc88d44964902bbdfa

Download Submit
memory/1284-10-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/1284-54-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/1284-52-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/1284-56-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/1284-42-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/1664-29-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/1664-43-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/2020-35-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/2020-39-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/2020-0-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/2020-18-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/2020-1-0x00000000777D4000-0x00000000777D6000-memory.dmp

Filesize
8KB

Download
memory/3440-34-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/3440-40-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/4492-41-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/4492-19-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download